introduction to netfilter and iptables - j.eng's site
TRANSCRIPT
Introduction to Netfilter and iptables
by Robby Workmanhttp://slackware.com/~rworkman/
[email protected]://rlworkman.net/
Presented at:Universidade Presbiteriana Mackenzie
for the Slackware ShowEncontro Nacional de Usuarios Slackware
http://slackshow.slackwarebrasil.org/
August 21–22, 2008
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 1 / 37
Table of Contents
1 Overview
2 Xtables
3 Basic iptables syntax
4 Writing rulesets
5 Loading rulesets at boot
6 Usage hints and advanced configuration
7 Other resources
8 Credits
9 About the author
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 2 / 37
Overview
Overview of the Linux packet filter framework
The packet filter framework on Linux is divided into two parts:
Netfilter/Xtables — the kernel-space portioniptables — the user-space portion
Generally speaking, we tend to refer to them collectively as just “iptables”.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 3 / 37
Overview
Overview of the Linux packet filter framework
The packet filter framework on Linux is divided into two parts:
Netfilter/Xtables — the kernel-space portioniptables — the user-space portion
Generally speaking, we tend to refer to them collectively as just “iptables”.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 3 / 37
Overview
Kernel configuration
Use your distribution’s kernelSeriously. :-) If you insist upon building a custom kernel, please do notreport “bugs” in your Linux distribution until you have reproduced themusing the provided kernel. Ignoring this advise is not a good way to createa good impression with your distribution’s maintainer and/or support team.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 4 / 37
Overview
Kernel configuration (cont’d)
If you do build a custom kernel, you will almost surely want to configure allof the Netfilter options as modules (instead of statically compiling it intothe kernel), and select everything except for the things marked as“deprecated” or “obsolete”. Loading or unloading modules is much easierthan rebooting when you are troubleshooting or needing additionalfunctionality.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 5 / 37
Xtables Tables
Tables
filter tablefor doing the actual packet filtering. This is the default table if you donot specify one when entering rules.nat tablefor rewriting packet source and/or destinationmangle tablefor altering packet headers and/or contentsraw tablefor avoiding connection tracking, the NOTRACK target can be used
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 6 / 37
Xtables Built-in chains
Built-in chains
INPUT chainpresent in the mangle and filter tables. Only packets terminating onlocalhost traverse this chain.OUTPUT chainpresent in the raw, nat, mangle and filter tables. Only packetsoriginating on localhost traverse this chain.FORWARD chainpresent in the mangle and filter tables. Only packets that neitheroriginate nor terminate at the local host traverse this chain.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 7 / 37
Xtables Built-in chains
Built-in chains (cont’d)
PREROUTING chainpresent in the raw, nat and mangle tables. Packets traverse this chainbefore a routing decision is made by the kernel.POSTROUTING chainpresent in the nat and mangle tables. Packets traverse this chainafter a routing decision is made by the kernel.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 8 / 37
Basic iptables syntax
Basic iptables syntax
Add or delete a ruleiptables [-t table] -[AD] chain rule-spec [options]
Examples:iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPTiptables -D INPUT -p tcp --dport 22 -j ACCEPT
Note the -A option means “append” — the rule is added to the end of thechain.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 9 / 37
Basic iptables syntax
Basic iptables syntax (cont’d)
Insert a rule into a chainiptables [-t table] -I chain [rulenum] rule-specs [options]
Example:iptables -I INPUT 2 -p tcp --dport 110 -j ACCEPT
This inserts a rule to accept incoming TCP traffic on port 110 directlybefore the existing rule number 2.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 10 / 37
Basic iptables syntax
Basic iptables syntax (cont’d)
Delete a rule from a chain by rule numberiptables [-t table] -D chain [rulenum] [options]
Example:iptables -D INPUT 2
This deletes the rule number 2. Note that you would need to useiptables --line-numbers -L to get the number.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 11 / 37
Basic iptables syntax
Basic iptables syntax (cont’d)
Flush (delete) all rules from a chain
iptables [-t table] -F chain [options]
Examples:iptables -t filter -F INPUTiptables -t nat -F POSTROUTING
You can also add the -Z switch to zero the packet counters as well.Note that all chains in the specified table will be flushed if you do notspecify a chain, and remember that the default chain is filter if one is notspecified.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 12 / 37
Basic iptables syntax
Basic iptables syntax (cont’d)
Set the default chain policyiptables [-t table] -P chain target [options]
Example:iptables -t filter -P INPUT DROP
The chain policy sets the default action to take on the packet if it does notmatch any of the rules in the chain it traverses.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 13 / 37
Basic iptables syntax
Basic iptables syntax (cont’d)
Create a custom chainiptables [-t table] -N chain
Example:iptables -t filter -N State
This creates a custom chain called State in the filter table. You wouldjump to it with something like this:
iptables -t filter -A INPUT -j State
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 14 / 37
Basic iptables syntax
Basic iptables syntax (cont’d)
Delete a custom chainiptables [-t table] -X chain
Examples:iptables -t filter -X State
This deletes the custom State chain we just created.
Note that there must not be any other rules that jump to a custom chainin order to remove it.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 15 / 37
Writing rulesets
Planning
What is the intended purpose of the box?(workstation, router/gateway only, multi-purpose router/gateway plusother services, etc.
If it is going to be a router/gateway, are there any services inside thelocal network that need to be available to the outside?Do you want/need to do egress filtering (filter packets leaving thelocal network)? Note that this is not as simple as it sounds, andgenerally speaking, if you have to ask for help, you do not need it yet;-)
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 16 / 37
Writing rulesets
Planning
What is the intended purpose of the box?(workstation, router/gateway only, multi-purpose router/gateway plusother services, etc.If it is going to be a router/gateway, are there any services inside thelocal network that need to be available to the outside?
Do you want/need to do egress filtering (filter packets leaving thelocal network)? Note that this is not as simple as it sounds, andgenerally speaking, if you have to ask for help, you do not need it yet;-)
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 16 / 37
Writing rulesets
Planning
What is the intended purpose of the box?(workstation, router/gateway only, multi-purpose router/gateway plusother services, etc.If it is going to be a router/gateway, are there any services inside thelocal network that need to be available to the outside?Do you want/need to do egress filtering (filter packets leaving thelocal network)? Note that this is not as simple as it sounds, andgenerally speaking, if you have to ask for help, you do not need it yet;-)
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 16 / 37
Writing rulesets
Setting chain policy
Remember that a chain’s policy decides what happens to packetswhen they “fall off” the chain; that is, if a packet does not match anyof the rules that it sees, the chain policy is applied to it.
Whether you should do a default ACCEPT or DROP policy dependson your needs, but generally speaking, DROP policy is the better optinfor filter table chains (except perhaps OUTPUT), and ACCEPT policyis better on other tables’ chains.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 17 / 37
Writing rulesets
Setting chain policy
Remember that a chain’s policy decides what happens to packetswhen they “fall off” the chain; that is, if a packet does not match anyof the rules that it sees, the chain policy is applied to it.Whether you should do a default ACCEPT or DROP policy dependson your needs, but generally speaking, DROP policy is the better optinfor filter table chains (except perhaps OUTPUT), and ACCEPT policyis better on other tables’ chains.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 17 / 37
Writing rulesets
Rule order
The order of rules is very important. Rules are applied to the packetsin the order in which they were added (within the context of eachindividual table and chain).
As an example, if you append a rule to the filter table’s INPUT chainto DROP packets on port 22, and then append another rule toACCEPT packets on port 22 from a specific IP address, the packetswill still be dropped because they will match the DROP rule beforethey match the ACCEPT rule. The first matching rule “wins”.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 18 / 37
Writing rulesets
Rule order
The order of rules is very important. Rules are applied to the packetsin the order in which they were added (within the context of eachindividual table and chain).As an example, if you append a rule to the filter table’s INPUT chainto DROP packets on port 22, and then append another rule toACCEPT packets on port 22 from a specific IP address, the packetswill still be dropped because they will match the DROP rule beforethey match the ACCEPT rule. The first matching rule “wins”.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 18 / 37
Writing rulesets
Rule order (cont’d)
The last bit about “first matching rule wins” has an exception though:if the matching rule has a “non-terminating” target, then the packetwill continue on to the next rule in the chain.
Some examples of non-terminating targets are the LOG, ULOG andNOTRACK targets.
Note that the ULOG target, while better than the LOG target (IMHO)for routine logging of packets, requires the userspace ulogd package tobei nstalled. It is available from my repo and from slackbuilds.org.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 19 / 37
Writing rulesets
Rule order (cont’d)
The last bit about “first matching rule wins” has an exception though:if the matching rule has a “non-terminating” target, then the packetwill continue on to the next rule in the chain.Some examples of non-terminating targets are the LOG, ULOG andNOTRACK targets.
Note that the ULOG target, while better than the LOG target (IMHO)for routine logging of packets, requires the userspace ulogd package tobei nstalled. It is available from my repo and from slackbuilds.org.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 19 / 37
Writing rulesets
Rule order (cont’d)
The last bit about “first matching rule wins” has an exception though:if the matching rule has a “non-terminating” target, then the packetwill continue on to the next rule in the chain.Some examples of non-terminating targets are the LOG, ULOG andNOTRACK targets.
Note that the ULOG target, while better than the LOG target (IMHO)for routine logging of packets, requires the userspace ulogd package tobei nstalled. It is available from my repo and from slackbuilds.org.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 19 / 37
Writing rulesets
Sample workstation ruleset
First, let’s set our default chain policies:
iptables -P INPUT DROPiptables -P FORWARD DROPiptables -P OUTPUT ACCEPT
Since this is a workstation, you probably do not want to bother withfiltering packets that are leaving (hence the OUTPUT policy of ACCEPT),and since all packets will be terminating on the workstation itself, therewon’t be any need for using the FORWARD chain.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 20 / 37
Writing rulesets
Sample workstation ruleset
First, let’s set our default chain policies:
iptables -P INPUT DROPiptables -P FORWARD DROPiptables -P OUTPUT ACCEPT
Since this is a workstation, you probably do not want to bother withfiltering packets that are leaving (hence the OUTPUT policy of ACCEPT),and since all packets will be terminating on the workstation itself, therewon’t be any need for using the FORWARD chain.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 20 / 37
Writing rulesets
Sample workstation rulset (cont’d)
Now that we have set our chain policies, we need to remove any existingrules from our ruleset.
iptables -F
Since we did not specify a table or chain, this rule defaults to use the filtertable and all chains in that table. This would do the same thing:
iptables -t filter -F INPUTiptables -t filter -F OUTPUTiptables -t filter -F FORWARD
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 21 / 37
Writing rulesets
Sample workstation rulset (cont’d)
Now that we have set our chain policies, we need to remove any existingrules from our ruleset.
iptables -F
Since we did not specify a table or chain, this rule defaults to use the filtertable and all chains in that table. This would do the same thing:
iptables -t filter -F INPUTiptables -t filter -F OUTPUTiptables -t filter -F FORWARD
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 21 / 37
Writing rulesets
Sample workstation ruleset (cont’d)
Now, let’s allow all traffic on the loopback interface:
iptables -A INPUT -i lo -j ACCEPTiptables -A OUTPUT -o lo -j ACCEPT
The -i flag sets the incoming interface (“lo” in this case for loopback), and-o sets the outgoing interface. These are only valid in chains where theymake sense; for example, there is no incoming interface in the OUTPUTchain.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 22 / 37
Writing rulesets
Sample workstation ruleset (cont’d)
We entered these rules in the previous slide:
iptables -A INPUT -i lo -j ACCEPTiptables -A OUTPUT -o lo -j ACCEPT
Since we set our OUTPUT policy to ACCEPT, we really do not need theOUTPUT rule above, but we add it just to be safe (since we might laterchange our OUTPUT policy).The loopback interface is how the machine talks to itself, so it shouldalways be allowed.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 23 / 37
Writing rulesets
Sample workstation ruleset (cont’d)
Next, we will tell the kernel to always accept incoming traffic that belongsto established connections, and traffic that is related to establishedconnections:
iptables -A INPUT -i eth0 -m conntrack --ctstateESTABLISHED,RELATED -j ACCEPT
This assumes that eth0 is the interface which is connected to the internet.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 24 / 37
Writing rulesets
Sample workstation ruleset (cont’d)
We entered this rule in the previous slide:
iptables -A INPUT -i eth0 -m conntrack --ctstateESTABLISHED,RELATED -j ACCEPT
Note that we did not specify a protocol (-p flag) or source/destinationaddress/port. Generally speaking, if something is not specified, then “any”is implied. Be careful with that — you will get an error if you try to passincompatible options to iptables (example follows).
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 25 / 37
Writing rulesets
Sample workstation ruleset (cont’d)
We entered this rule earlier:
iptables -A INPUT -i eth0 -m conntrack --ctstateESTABLISHED,RELATED -j ACCEPT
The RELATED state is exactly what the name implies — it is for packetsthat are not part of an established connection, but are related to it.Examples are FTP data transfers and ICMP error packets.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 26 / 37
Writing rulesets
Sample workstation ruleset (cont’d)
As mentioned in a previous slide, if something is not specified, then “any” isimplied. One example of incompatible options to iptables is:
iptables -A INPUT --dport 22 -j ACCEPT
Since no protocol is specified, this is equivalent to -p all — however,some protocols (ICMP, for example) do not have ports; therefore, this lineis invalid and will result in an error:
iptables v1.4.1.1: Unknown arg “--dport”
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 27 / 37
Writing rulesets
Sample workstation ruleset (cont’d)
As mentioned in a previous slide, if something is not specified, then “any” isimplied. One example of incompatible options to iptables is:
iptables -A INPUT --dport 22 -j ACCEPT
Since no protocol is specified, this is equivalent to -p all — however,some protocols (ICMP, for example) do not have ports; therefore, this lineis invalid and will result in an error:
iptables v1.4.1.1: Unknown arg “--dport”
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 27 / 37
Writing rulesets
Sample workstation ruleset (cont’d)
At this point, we have a functional and secure “firewall” on our workstation.However, we might want to allow ssh connections from remote machines,so we will add this rule:
iptables -A INPUT -i eth0 -p tcp --syn --dport 22 -mconntrack --ctstate NEW -j ACCEPT
This will allow new packets on port 22 with the SYN flag set.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 28 / 37
Loading rulesets at boot
Loading rulesets at boot
We have a secure and functional ruleset now, but sooner or later, we willhave to reboot our workstation. We really do not want to have to type allthat in again, so now what?
On Slackware, we place the iptables commands in/etc/rc.d/rc.firewall — if that file exists and is executable, it will berun during boot from /etc/rc.d/rc.inet1.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 29 / 37
Usage hints and advanced configuration
Usage hints
As much as possible, organize your rules so that most of your trafficwill be matched by earlier rules in the ruleset. System resource usageis minimized by decreasing the number of rules that a packet hitsbefore it matches.
Custom chains can be useful to decrease the number of rules a packethas to hit. For example, you can create separate chains for eachprotocol — there is no need to test UDP traffic against rules that onlyapply to TCP traffic.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 30 / 37
Usage hints and advanced configuration
Usage hints
As much as possible, organize your rules so that most of your trafficwill be matched by earlier rules in the ruleset. System resource usageis minimized by decreasing the number of rules that a packet hitsbefore it matches.Custom chains can be useful to decrease the number of rules a packethas to hit. For example, you can create separate chains for eachprotocol — there is no need to test UDP traffic against rules that onlyapply to TCP traffic.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 30 / 37
Usage hints and advanced configuration
Usage hints (cont’d)
If you have a dynamic ip address and are building a router/gatewaymachine, you should use the MASQUERADE target instead of theSNAT target to rewrite the outgoing packets’ source addresses prior toleaving your network. The MASQUERADE target does the same thingas the SNAT target, but it adds a small amount of overhead inmonitoring the interface. If you have a static ip address, use theSNAT target.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 31 / 37
Usage hints and advanced configuration
Advanced configuration
In order to forward packets across interfaces, the value of/proc/sys/net/ipv4/ip_forward must be set to 1.
iptables is NOT a daemon! It is not something that you “start” and“stop” — regardless of what some distributions’ init scripts mightimply. The iptables userspace tool simply manipulates packetprocessing rules in kernelspace.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 32 / 37
Usage hints and advanced configuration
Advanced configuration
In order to forward packets across interfaces, the value of/proc/sys/net/ipv4/ip_forward must be set to 1.iptables is NOT a daemon! It is not something that you “start” and“stop” — regardless of what some distributions’ init scripts mightimply. The iptables userspace tool simply manipulates packetprocessing rules in kernelspace.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 32 / 37
Usage hints and advanced configuration
Usage hints (cont’d)
While Slackware’s /etc/rc.d/rc.firewall script’s format usesactual iptables invocations to load rules into the kernel, somedistributions instead use iptables-restore to load a complete rulesetgenerated from iptables-save atomically
If you have a very large set of rules, you will probably want to considerusing the combination of iptables-save and iptables-restore instead, asit is generally faster — we will discuss why on the next slide.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 33 / 37
Usage hints and advanced configuration
Usage hints (cont’d)
While Slackware’s /etc/rc.d/rc.firewall script’s format usesactual iptables invocations to load rules into the kernel, somedistributions instead use iptables-restore to load a complete rulesetgenerated from iptables-save atomicallyIf you have a very large set of rules, you will probably want to considerusing the combination of iptables-save and iptables-restore instead, asit is generally faster — we will discuss why on the next slide.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 33 / 37
Usage hints and advanced configuration
Advanced configuration (cont’d)
When using the iptables binary to add rules to the kernel, the processworks something like this:
1 read entire ruleset from kernel2 add new rule to ruleset3 load modified ruleset into kernel4 repeat steps 1-3 for each new rule
with iptables-restore, the entire ruleset is loaded into the kernel in onepass, resulting in a much faster load time.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 34 / 37
Usage hints and advanced configuration
Advanced configuration (cont’d)
When using the iptables binary to add rules to the kernel, the processworks something like this:
1 read entire ruleset from kernel2 add new rule to ruleset3 load modified ruleset into kernel4 repeat steps 1-3 for each new rule
with iptables-restore, the entire ruleset is loaded into the kernel in onepass, resulting in a much faster load time.
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 34 / 37
Other resources
Other resources
Netfilter Home Pagehttp://netfilter.org/
Oskar Andreasson’s iptables Tutorialhttp://iptables-tutorial.frozentux.net/mirror (my site): http://iptables.rlworkman.netDaniel de Graaf’s Home Pagehttp://danieldegraaf.afraid.org/info/iptables/
Book: “Linux Firewalls” by Robert Zeigler and Steve Suehring(available on amazon.com)
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 35 / 37
Credits
Credits and acknowledgments
Thanks to Robert Zeigler, whose second edition of “Linux Firewalls”was invaluable in my learningThanks to both the Slackware team and the guys on cardinal(http://cardinal.lizella.net/) for tolerating my incessantrambling while writing this :-)Thanks to Jan Engelhardt for reviewing this for technical accuracyThanks to Oskar Andreasson for the iptables tutorial — it wasinvaluable in closing some gaps in my understanding
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 36 / 37
About the author
About the author
Robby Workman lives in a rural area outside Tuscaloosa, Alabama, USAwith his wife and daughter. He has been a Linux and Slackware user sinceJuly 2004, and a member of the Slackware development team sinceJanuary 2007. He also is a founding member and current admin of theSlackBuilds.org project, which was created in July of 2006.
Feedback and suggestions are welcome at any of the following addresses:[email protected]@[email protected]
A copy of this presentation can be found at:http://rlworkman.net/slackshowbrasil/
R. Workman ( Presented at: Universidade Presbiteriana Mackenzie for the Slackware Show Encontro Nacional de Usuarios Slackware http://slackshow.slackwarebrasil.org/)Introduction to Netfilter and iptables August 21–22, 2008 37 / 37